
Windows 8 Forensics

Advanced Three-Day Instructor-Led Course


For more information contact: info@syntricate.com

This advanced three-day course provides the knowledge and skills necessary to analyze Microsoft Windows 8 operating system artifacts, user data and file system mechanics, including Storage Spaces, using the Forensic Toolkit (FTK), FTK Imager and Registry Viewer. During the workshop, participants review Windows 8 features, learn the artifact locations for Internet Explorer and Immersive Application cache data, and examine the new File History service and how its artifacts are processed. Students also review Windows 8 storage artifacts such as Virtual Hard Disks, Storage Pools and updated NTFS structures, finishing with an overview of the core registry files and the new values of forensic interest pertaining to user activity on a Windows 8 system.
Prerequisites:
To obtain the maximum benefit from this course, you should meet the following requirements:
Able to understand course curriculum presented in English
Attendance at the AccessData Forensic BootCamp or equivalent experience with FTK, FTK Imager, and Registry Viewer
Familiarity with Windows NT file system (NTFS) mechanics
Familiarity with the Microsoft Windows environment and Windows forensic analysis
Basic knowledge of computer forensic investigations and acquisition procedures
Class Materials and Software:
You will receive the associated materials prior to the course.
During this three-day course, participants will review the following:
Windows 8 File Structure Changes
o Folder Structures
o PageFile and SwapFile functions
o ToGo feature
o BitLocker updates
o Cloud integration overview
o Thumbnail caching
o PC Refresh options
GUID partition table schema
Immersive applications and their associated artifacts
Internet Explorer 10 and 11 forensic analysis
File History and System Restore Points
Storage Options
o Storage Spaces
o VHDx format
Windows 8 Registry structure and artifacts


Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.

Module 1: Introduction
Topics:
Introductions
Class materials and software
Prerequisites
Class outline
Helpful Information
Lab:
Check system information
Select Windows Explorer display preferences
Prepare your system

Module 2: Windows 8 Overview
Objectives:
Discuss new features of Windows 8 and its different version characteristics
Review Windows 8 folder structures
Identify the PageFile and SwapFile functions in Windows 8
Provide a brief description of the Windows 8 ToGo feature
List the Windows 8 BitLocker updates
Discuss how Windows 8 provides cloud integration
Identify how thumbnail caching has changed in Windows 8
Review the PC Refresh feature
Lab:
This lab familiarizes participants with new and updated Windows 8 features

Module 3: Disk and Folder Structures
Objectives:
Discuss the GUID (Globally Unique Identifier) partition table schema and its implementation on a Windows 8.x system
Review the system directories and user profiles
Lab:
Examine GUID partition tables
Use FTK Imager and DPT entries to recover forensic artifacts
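
The partition table lab above works from the GPT header at LBA 1. The following Python is an added example, not part of the course or of AccessData's tooling: it parses the header and the partition entry array from a disk image, checks both CRC32 values before trusting the layout, and names the Microsoft partition types an examiner expects on a Windows 8 disk. The sample image, its GUIDs and its LBA ranges are constructed inline; the type GUIDs, including the Storage Spaces one, are the published values for those partition types.

```python
"""Added example (not AccessData or Syntricate course material): parse the GPT
header at LBA 1 and the partition entry array, verifying both CRC32 values
before trusting the partition layout. The sample disk image is constructed."""
import struct
import uuid
import zlib

SECTOR = 512
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header, little-endian
ENTRY = struct.Struct("<16s16sQQQ72s")      # 128-byte partition entry

# Published partition type GUIDs commonly seen on a Windows 8 disk.
KNOWN_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft Basic Data",
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery",
    "e75caf8f-f680-4cee-afa3-b001e56efc2d": "Storage Spaces protective",
}


def _guid(raw):
    # GPT stores GUIDs mixed-endian; bytes_le applies the correct byte order.
    return str(uuid.UUID(bytes_le=raw))


def parse_gpt(image, sector=SECTOR):
    """Return disk GUID, backup header LBA and the used partition entries.
    Raises ValueError if the signature or either CRC does not check out."""
    hsize = struct.unpack_from("<I", image, sector + 12)[0]
    if not HDR.size <= hsize <= sector:
        raise ValueError("implausible GPT header size %d" % hsize)
    hdr = image[sector:sector + hsize]
    (sig, _rev, _hsize, hcrc, _res, _cur, backup_lba, first_use, last_use,
     disk_guid, ent_lba, n_ent, ent_size, arr_crc) = HDR.unpack_from(hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # Header CRC covers header_size bytes with the CRC field itself zeroed.
    if zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:]) != hcrc:
        raise ValueError("primary GPT header CRC mismatch; fall back to the "
                         "backup header at LBA %d" % backup_lba)
    start = ent_lba * sector
    array = image[start:start + n_ent * ent_size]
    if zlib.crc32(array) != arr_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        type_raw, part_raw, first, last, attrs, name = ENTRY.unpack_from(array, i * ent_size)
        if type_raw == b"\x00" * 16:
            continue  # unused entry
        type_guid = _guid(type_raw)
        parts.append({
            "type": KNOWN_TYPES.get(type_guid, type_guid),
            "type_guid": type_guid,
            "part_guid": _guid(part_raw),
            "first_lba": first,
            "last_lba": last,
            "size_bytes": (last - first + 1) * sector,
            "attributes": attrs,
            "name": name.decode("utf-16-le").rstrip("\x00"),
        })
    return {"disk_guid": _guid(disk_guid), "backup_lba": backup_lba,
            "first_usable_lba": first_use, "last_usable_lba": last_use,
            "partitions": parts}


# Constructed layout (type GUID, first LBA, last LBA, name) for a 1 GiB disk.
SAMPLE_LAYOUT = [
    ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 2048, 616447, "EFI system partition"),
    ("e3c9e316-0b5c-4db8-817d-f92df00215ae", 616448, 878591, "Microsoft reserved partition"),
    ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 878592, 2097118, "Basic data partition"),
]


def build_gpt(layout, total_sectors=2097152, sector=SECTOR):
    """Constructed test image: LBA 0 left blank (protective MBR omitted),
    primary header at LBA 1, 128 entries from LBA 2. Backup structures omitted."""
    array = bytearray(128 * ENTRY.size)
    for i, (type_guid, first, last, name) in enumerate(layout):
        ENTRY.pack_into(array, i * ENTRY.size, uuid.UUID(type_guid).bytes_le,
                        uuid.UUID(int=0x1000 + i).bytes_le, first, last, 0,
                        name.encode("utf-16-le").ljust(72, b"\x00"))
    hdr = bytearray(HDR.pack(b"EFI PART", 0x00010000, HDR.size, 0, 0, 1,
                             total_sectors - 1, 34, total_sectors - 34,
                             uuid.UUID(int=0xD15C).bytes_le, 2, 128, ENTRY.size,
                             zlib.crc32(array)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    image = bytearray(34 * sector)
    image[sector:sector + HDR.size] = hdr
    image[2 * sector:2 * sector + len(array)] = array
    return bytes(image)


if __name__ == "__main__":
    for p in parse_gpt(build_gpt(SAMPLE_LAYOUT))["partitions"]:
        print("%-22s LBA %8d-%8d %6d MiB  %s" % (p["type"], p["first_lba"],
              p["last_lba"], p["size_bytes"] // 2**20, p["name"]))
```

A CRC failure on the primary header is the cue to read the backup header at the last LBA rather than to trust whatever the entry array says; the exception message carries that LBA for exactly that reason.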

Module 4: Windows 8 Immersive Applications
Objectives:
Review the Windows 8 Immersive Shell
Discuss live tiles
Discuss Immersive applications, including:
o The front end view
o Back end structures
o Local cached data
o Registry settings
Lab:
Recover forensic artifacts from Immersive application files
Recover Immersive application artifacts from the registry

Module 5: Internet Explorer 10 and 11
Objectives:
Understand the Modern UI (MUI) and Desktop platforms of Windows 8
Understand the new features of IEv10, including:
o Flip Ahead feature
o Implicit and explicit sharing with Windows Live Mail recipients
o Pin to Start feature
o Windows Store
o Enhanced URL address bar
o Enhanced Protected Mode (EPM)
o DOM storage
o Application caching (AC) in the Packages directory
o No more index.dat files

Lab:
Recover IEv10 artifacts from the directory structure
Recover artifacts from the Extensible Storage Engine (ESE, .edb) database that replaces index.dat (WebCacheV01.dat)

Module 6: Windows 8 File History and System Restore Points
Objectives:
Describe how a Windows 8 user initiates File History
Discuss the location choices a user is presented with when determining backup storage
Identify artifacts located in the user's profile
Describe the processing of File History administrative data
Identify version dates of backed-up files
Review Windows Event Logs for File History actions
Recognize registry data pertaining to system and user preferences for the File History function
Lab:
Locate File History artifacts in the user's profile
Review the USB device File History
Locate artifacts on the File History backup volume
Locate File History artifacts in the event log
Locate File History artifacts in the Windows registry

Module 7: Windows Storage Options
Objectives:
Describe the storage options available to users on a Windows 8 operating system
Describe the auto-mounting features introduced in Windows 8 pertaining to Virtual Hard Disks and ISO images
Describe the uses of a Virtual Hard Disk and VHDx format virtual files
Describe a Storage Space and how a user can create one
Examine a Storage Pool and recognize the data structures contained within
Discuss the correlation between a Storage Pool and NTFS
Discuss best practices in processing a Storage Space
Examine Windows Event Logs for elements of storage mounting events
Lab:
Use the OS to create a Storage Pool
Process a Virtual Hard Disk (VHD) in FTK
Locate VHD artifacts in the Windows registry
Locate jump list artifacts
Locate VHD artifacts in the event log
Identify a Storage Pool
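
For the File History lab above (identifying version dates of backed-up files), here is an added example in Python; it is not course material. It relies on the naming File History gives each saved copy, "<name> (<YYYY_MM_DD HH_MM_SS> UTC)<ext>", stored under <backup root>\FileHistory\<user>\<machine>\Data\ mirroring the original path, and rebuilds a per-file version timeline from a directory listing. The paths and the user, machine and file names are constructed for the example.

```python
"""Added example (not course material): reconstruct a version timeline from
File History backup copies. File History names each saved copy
"<name> (<YYYY_MM_DD HH_MM_SS> UTC)<ext>" beneath
<backup root>\FileHistory\<user>\<machine>\Data\<drive>\<original path>;
the catalog lives in ...\Configuration\Catalog1.edb / Catalog2.edb (ESE).
The listing below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timezone

VERSION_RE = re.compile(
    r"^(?P<stem>.+?) \((?P<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)"
    r"(?P<ext>\.[^.\\/]+)?$")


def parse_version_name(filename):
    """Split 'Report (2013_04_22 15_07_31 UTC).docx' into
    ('Report.docx', 2013-04-22 15:07:31 UTC). None if not a versioned copy."""
    m = VERSION_RE.match(filename)
    if m is None:
        return None
    # The suffix is the version time in UTC, not the file's own MAC times;
    # convert with .astimezone() before correlating with local-time event logs.
    when = datetime.strptime(m.group("ts"), "%Y_%m_%d %H_%M_%S")
    return m.group("stem") + (m.group("ext") or ""), when.replace(tzinfo=timezone.utc)


def build_timeline(paths):
    """Group backup copies by the logical file they are versions of.
    Returns ({logical_path: [(utc_time, backup_path), ...] oldest first},
             [paths that are not versioned copies, e.g. the catalog])."""
    versions = defaultdict(list)
    other = []
    for path in paths:
        folder, _, name = path.rpartition("\\")
        parsed = parse_version_name(name)
        if parsed is None:
            other.append(path)
            continue
        logical, when = parsed
        versions[folder + "\\" + logical if folder else logical].append((when, path))
    for copies in versions.values():
        copies.sort()
    return dict(versions), other


def version_count(timeline, logical_path):
    return len(timeline.get(logical_path, []))


# Constructed listing of a File History backup volume (not a real case).
ROOT = r"F:\FileHistory\alice\DESKTOP-01"
SAMPLE_PATHS = [
    ROOT + r"\Data\C\Users\alice\Documents\Report (2013_04_22 15_07_31 UTC).docx",
    ROOT + r"\Data\C\Users\alice\Documents\Report (2013_04_23 09_12_05 UTC).docx",
    ROOT + r"\Data\C\Users\alice\Documents\Report (2013_04_22 18_45_00 UTC).docx",
    ROOT + r"\Data\C\Users\alice\Documents\Notes (draft) (2013_04_22 15_07_31 UTC).txt",
    ROOT + r"\Data\C\Users\alice\Pictures\IMG_0042 (2013_04_22 15_07_31 UTC).jpg",
    ROOT + r"\Configuration\Catalog1.edb",
    ROOT + r"\Configuration\Config1.xml",
]

if __name__ == "__main__":
    timeline, other = build_timeline(SAMPLE_PATHS)
    for logical, copies in sorted(timeline.items()):
        print(logical)
        for when, path in copies:
            print("   ", when.isoformat(), path.rpartition("\\")[2])
    print("non-versioned:", other)
```

Copies sharing one timestamp (the three 15_07_31 entries above) were written by the same backup pass, which is what you line up against the Microsoft-Windows-FileHistory event log entries and the Catalog ESE database when reconstructing what was backed up when.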
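
Before processing a Virtual Hard Disk in FTK it helps to confirm what kind of container you have. The following Python is an added example, not course material: it recognises VHD, VHDX and ISO 9660 images by signature and decodes the 512-byte VHD footer (disk type, creation time, sizes, creator), verifying the footer checksum. Field layout and the 2000-01-01 timestamp epoch follow Microsoft's published VHD format; the sample image is constructed inline.

```python
"""Added example (not course material): identify a disk container by signature
and decode the 512-byte VHD footer found at the end of fixed, dynamic and
differencing .vhd files, verifying its checksum. VHDX and ISO 9660 images are
recognised by signature only. The sample image is constructed inline."""
import struct
from datetime import datetime, timedelta, timezone

VHD_FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427x")  # big-endian, 512 bytes
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)     # VHD time stamps count from here
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def identify_container(data):
    """Cheap triage of an image by magic bytes: (kind, creator or None)."""
    if data[:8] == b"vhdxfile":
        # VHDX: 'vhdxfile' at offset 0, then a 512-byte UTF-16LE creator string.
        return "vhdx", data[8:520].decode("utf-16-le", "replace").rstrip("\x00")
    if len(data) >= 512 and data[-512:-504] == b"conectix":
        return "vhd", None
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660", None
    return "raw_or_unknown", None


def vhd_checksum(footer):
    """One's complement of the byte sum of the footer, checksum field excluded."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(data):
    footer = data[-512:]
    (cookie, _features, _fmt_ver, data_off, ts, creator_app, _creator_ver,
     creator_os, orig_size, cur_size, _geometry, disk_type, checksum, uid,
     saved_state) = VHD_FOOTER.unpack(footer)
    if cookie != b"conectix":
        raise ValueError("no VHD footer cookie")
    if vhd_checksum(footer) != checksum:
        raise ValueError("VHD footer checksum mismatch; footer truncated or altered")
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        # All ones marks a fixed disk; otherwise the offset of the dynamic header,
        # which for a differencing disk also names the parent image.
        "data_offset": None if data_off == 0xFFFFFFFFFFFFFFFF else data_off,
        "created_utc": VHD_EPOCH + timedelta(seconds=ts),
        "creator_app": creator_app.decode("ascii", "replace"),
        "creator_os": creator_os.decode("ascii", "replace"),
        "original_size": orig_size,
        "current_size": cur_size,
        "saved_state": bool(saved_state),
        "unique_id": uid.hex(),
    }


def build_fixed_vhd(payload, created, creator=b"win "):
    """Constructed fixed VHD for the example: raw sectors followed by the footer."""
    ts = int((created - VHD_EPOCH).total_seconds())
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF, ts, creator,
              0x00060003, b"Wi2k", len(payload), len(payload), 0, 2, 0,
              bytes(range(16)), 0]
    footer = bytearray(VHD_FOOTER.pack(*fields))
    struct.pack_into(">I", footer, 64, vhd_checksum(footer))
    return payload + bytes(footer)


SAMPLE_CREATED = datetime(2013, 4, 22, 15, 7, 31, tzinfo=timezone.utc)
SAMPLE_IMAGE = build_fixed_vhd(b"\x00" * 4096, SAMPLE_CREATED)  # constructed

if __name__ == "__main__":
    print(identify_container(SAMPLE_IMAGE))
    print(parse_vhd_footer(SAMPLE_IMAGE))
```

A fixed VHD is a raw image plus this footer, so FTK can be pointed at it as a raw disk once the trailing 512 bytes are accounted for; a dynamic or differencing disk needs the block allocation table (and, for differencing, the parent) resolved first, which is why the disk type and data offset are the first two fields worth reading.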
Module 8: Windows 8 Registry Introduction
Objectives:
Define the Windows registry structure and function
List the forensic benefits of the registry
Identify the hives that make up the registry and list the types of information associated with each hive
Discuss navigating the registry using traditional tools and Registry Viewer
Define different methods for obtaining both live registry files and registry files from an image
Categorize the three different methods of searching for data in Registry Viewer
Lab:
Use FTK Imager to gather registry files from the local machine
Create reports in Registry Viewer
Create a Summary report
Create a Summary report using wildcards
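
Module 8 contrasts registry files gathered from a live machine with those taken from an image. The Python below is an added example, not course material: it decodes the 4096-byte base block of a hive, verifies the header checksum and flags a hive whose primary and secondary sequence numbers disagree, which means the copy was taken mid-transaction and the accompanying .LOG1/.LOG2 transaction logs are needed to reconstruct the current state. The hive headers are constructed inline; the sample path and sequence numbers are made up for the example.

```python
"""Added example (not course material): inspect the base block of a registry
hive (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat, ...) and report the two
checks worth doing on a hive pulled from a live system with FTK Imager: does the
header checksum verify, and do the primary and secondary sequence numbers
agree. Constructed sample headers; no hive bins follow them."""
import struct
from datetime import datetime, timedelta, timezone

# signature, primary seq, secondary seq, last-written FILETIME, major, minor,
# file type, file format, root cell offset, hive bins size, clustering, name
REGF = struct.Struct("<4sIIQ" "IIIIIII" "64s")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer division of timedeltas keeps full precision (no float rounding).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def regf_checksum(base_block):
    """XOR of the 127 DWORDs in the first 508 bytes, with the two special cases."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def inspect_hive_header(data):
    block = data[:4096]
    (sig, seq1, seq2, ft, major, minor, ftype, _fmt, root_off, bins_size,
     _cluster, name) = REGF.unpack_from(block)
    if sig != b"regf":
        raise ValueError("not a registry hive (no 'regf' signature)")
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "name": name.decode("utf-16-le", "replace").rstrip("\x00"),
        "version": "%d.%d" % (major, minor),
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,  # captured mid-write: replay .LOG1/.LOG2 first
        "checksum_ok": regf_checksum(block) == stored,
        "last_written_utc": filetime_to_datetime(ft),
        "root_cell_offset": 0x1000 + root_off,  # offsets are relative to the first hbin
        "hive_bins_size": bins_size,
        "file_type": "primary" if ftype == 0 else "other(%d)" % ftype,
    }


def build_hive_header(name, seq1, seq2, last_written, version=(1, 5)):
    """Constructed base block for the example."""
    block = bytearray(4096)
    REGF.pack_into(block, 0, b"regf", seq1, seq2, datetime_to_filetime(last_written),
                   version[0], version[1], 0, 1, 0x20, 0x1000, 1,
                   name.encode("utf-16-le").ljust(64, b"\x00"))
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


SAMPLE_NAME = r"\??\C:\Users\alice\ntuser.dat"  # constructed
SAMPLE_TIME = datetime(2013, 4, 22, 15, 7, 31, tzinfo=timezone.utc)
CLEAN_HIVE = build_hive_header(SAMPLE_NAME, 42, 42, SAMPLE_TIME)
DIRTY_HIVE = build_hive_header(SAMPLE_NAME, 43, 42, SAMPLE_TIME)

if __name__ == "__main__":
    for label, hive in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        print(label, inspect_hive_header(hive))
```

Hives exported from a running Windows 8 system are frequently dirty in this sense, so when FTK Imager is used to gather them from the local machine, collect the .LOG1 and .LOG2 files from the same directory at the same time; without them the most recent key writes are not in the primary file.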

Module 9: Windows 8 Registry Artifacts
Objectives:
Define new forensic values found in the core system and user related registry files:
o SAM
o SYSTEM
o SOFTWARE
o NTUSER.DAT
o UsrClass.dat
o Settings.DAT
Lab:
Locate artifacts in the following registry files:
o SAM
o SYSTEM
o SOFTWARE
o BBI
o NTUSER.DAT
o UsrClass.dat
o Settings.DAT
o Amcache
Module 10: Windows 8 PC Refresh
Objectives:
Describe the Reset and Refresh options for a Windows 8 PC
Understand the issues surrounding PC Refresh
Lab:
Examine Reset artifacts

Module 11: Final Exercise
Objectives:
This module allows participants to apply information from the course to recover Windows 8 artifacts from a sample image file.
